At Tue, 5 Aug 2008 10:26:26 -0700,
Dan Wing wrote:
> 
> > -----Original Message-----
> > From: Eric Rescorla [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, August 05, 2008 9:11 AM
> > To: Dan Wing
> > Cc: 'Eric Rescorla'; 'Elwell, John'; 'Hadriel Kaplan'; 
> > 'Jonathan Rosenberg'; 'Cullen Jennings'; 'SIP IETF'; 'Uzelac, Adam'
> > Subject: Re: [Sip] Thoughts on SIP Identity issues
> > 
> > At Tue, 5 Aug 2008 08:54:16 -0700,
> > Dan Wing wrote:
> > > > I haven't spent a long time examining 
> > > > draft-kaplan-sip-baiting, but as
> > > > I recall, it's not the fault of 4474 failing to sign 
> > > > something that
> > > > it should have but rather that it's inherent in the 
> > > > message-oriented 
> > > > nature of SIP.
> > > 
> > > That distinction is not relevant to the victim.
> > 
> > No, the distinction is relevant to the people responsible for 
> > technically addressing the issue, namely us.
> 
> My interpretation of what you are saying is "SIP is message-
> oriented, so SIP is vulnerable to baiting as described in
> draft-kaplan-sip-baiting, and we can't fix it".  
> 
> I don't know if that is what you intended to say; if not, 
> please clarify.

What I'm saying is that a message-oriented system like SIP inherently
has replay attacks. If you want to remove replay attacks, you'll
need to do it at a separate layer.


> > I don't actually think this characterization of 4474 is that accurate.
> > RFC 4474 does not use the IP address for authenticating the media.
> > Rather, it authenticates the IP address as well as the rest of the
> > SDP 
> 
> Which draft-kaplan-sip-baiting shows is insufficient at its intended
> purpose.

Well, I guess that's one interpretation, but it's not mine.

-Ekr
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
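
An added illustration of the replay point made in the message above (not code from the thread, the draft, or RFC 4474): a signature over a fixed set of message fields verifies identically on every delivery of the same message, so replay has to be rejected by a separate freshness and replay-cache layer. HMAC stands in here for the RFC 4474 signature, and the field list, key, time window and sample INVITE are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key
MAX_AGE = 600                  # assumption: freshness window in seconds
FIELDS = ("from", "to", "call_id", "cseq", "date", "contact", "body")

def digest_string(msg):
    # Simplified model of the signed fields, joined with "|".
    return "|".join(str(msg[f]) for f in FIELDS).encode()

def sign(msg):
    return hmac.new(KEY, digest_string(msg), hashlib.sha256).hexdigest()

def signature_ok(msg, sig):
    # Pure function of the message: true for every copy ever delivered.
    return hmac.compare_digest(sign(msg), sig)

class ReplayGuard:
    """Separate layer: Date freshness plus a cache of (Call-ID, CSeq) seen."""
    def __init__(self):
        self.seen = {}  # (call_id, cseq) -> time the entry may be dropped

    def accept(self, msg, sig, now):
        if not signature_ok(msg, sig):
            return "bad-signature"
        if abs(now - msg["date"]) > MAX_AGE:
            return "stale"
        # Entries only need to live while the message is still fresh.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (msg["call_id"], msg["cseq"])
        if key in self.seen:
            return "replay"
        self.seen[key] = msg["date"] + MAX_AGE
        return "accepted"

# Constructed sample message; dates are plain epoch seconds for brevity.
INVITE = {"from": "sip:alice@example.com", "to": "sip:bob@example.org",
          "call_id": "a84b4c76e66710", "cseq": "314159 INVITE", "date": 1000,
          "contact": "sip:alice@pc33.example.com",
          "body": "c=IN IP4 192.0.2.10"}

def demo():
    sig = sign(INVITE)
    guard = ReplayGuard()
    return [signature_ok(INVITE, sig),              # first delivery
            signature_ok(INVITE, sig),              # replayed copy, same answer
            guard.accept(INVITE, sig, now=1005),    # accepted
            guard.accept(INVITE, sig, now=1030),    # replay inside the window
            guard.accept(INVITE, sig, now=5000)]    # replay after the window

if __name__ == "__main__":
    print(demo())
```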
